From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9A696C43333 for ; Wed, 18 Mar 2020 22:06:16 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 6410F20777 for ; Wed, 18 Mar 2020 22:06:16 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=paul-moore-com.20150623.gappssmtp.com header.i=@paul-moore-com.20150623.gappssmtp.com header.b="EGq9j8ta" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727238AbgCRWGP (ORCPT ); Wed, 18 Mar 2020 18:06:15 -0400 Received: from mail-ed1-f67.google.com ([209.85.208.67]:37503 "EHLO mail-ed1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727020AbgCRWGP (ORCPT ); Wed, 18 Mar 2020 18:06:15 -0400 Received: by mail-ed1-f67.google.com with SMTP id b23so85469edx.4 for ; Wed, 18 Mar 2020 15:06:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=TDXZZkhqjusv291He84nhKQlMbFezXaGS9XY4w8phpE=; b=EGq9j8ta0EzuoZHC99ctGlzz5FJgMcHEAbQAY1LzC7m2yp+tVJkMr4r617GRqI0ca6 Z6smPIs417FGSdP6HYXkQWHLvupus3gRbB6ttGrFxU6ommiXyDGunEw+TRP0TgHao1TU 4Zuy5cg6A3jg+knqeniLehrw6GKjBIxp7c/IQ4oZLNCTkhb+VBMb4rkbGmGRA69VSJR9 LYyO7JXPLwrPS+tF7PpR1NKN+psauSaajm2Y6qFCN6eNWY78mekonIly4LPjoSQO9Xwj pnC3ZVehyi0uC3wqWOG172opZ0qSIKIrqp40cuBX5baeZ0IuWv1Udr4hof6nAKv0n3Rx 3PAQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TDXZZkhqjusv291He84nhKQlMbFezXaGS9XY4w8phpE=; b=gPZOamzd+Dy4FBnCIcWl88zA367m14gPiKOJePj+1jJHYfSHIuLrRlZZIB05qvaosq SYwmGU0kW4lNsZ2R8GScoVEMsN2P0s6YHd72qw+r+nUNzTS0W+zye/vrhe8l7OKY4k0j LbNErywHqlIINfH1dHfZ/J9wE9pRFyKSlGhMSx4O4LxabU97hv+gI1YKuKVa+lJ8RLdp K6Lu+zWQsZglYxel5UBAl6vQ9NmgUwiFy1UQ3ocGCg8/5U5GQIskOBZm+NYOz1gZNX+i Ti7DhbhvD0FG9PpDJI96FgXGktuCK7w6qMyx0s9xBny9ri+cSCgArccBpANv0KeU19By l3yA== X-Gm-Message-State: ANhLgQ3HKhbZOE5CRM2LYAUCSUqzgn6oa2kkpuWLXpWrQrH0vW9YHTm4 UED7er1ksQHKrzOIr51MUPZdwTbK9e2as080gbt4 X-Google-Smtp-Source: ADFU+vtW4mfjwnuF24IoXcYzayNDU8snpAdY8T07RFr+nxOE2IbbjW1zRxqJVYGpUJx8Vd5VOBHbcoPpD4xtj23EMDs= X-Received: by 2002:a17:906:cb93:: with SMTP id mf19mr378815ejb.272.1584569171696; Wed, 18 Mar 2020 15:06:11 -0700 (PDT) MIME-Version: 1.0 References: <3142237.YMNxv0uec1@x2> <20200312193037.2tb5f53yeisfq4ta@madcap2.tricolour.ca> <20200313185900.y44yvrfm4zxa5lfk@madcap2.tricolour.ca> <20200318212630.mw2geg4ykhnbtr3k@madcap2.tricolour.ca> <20200318215550.es4stkjwnefrfen2@madcap2.tricolour.ca> In-Reply-To: <20200318215550.es4stkjwnefrfen2@madcap2.tricolour.ca> From: Paul Moore Date: Wed, 18 Mar 2020 18:06:00 -0400 Message-ID: Subject: Re: [PATCH ghak90 V8 07/16] audit: add contid support for signalling the audit daemon To: Richard Guy Briggs Cc: Steve Grubb , linux-audit@redhat.com, nhorman@tuxdriver.com, linux-api@vger.kernel.org, containers@lists.linux-foundation.org, LKML , dhowells@redhat.com, netfilter-devel@vger.kernel.org, ebiederm@xmission.com, simo@redhat.com, netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org, Eric Paris , mpatel@redhat.com, Serge Hallyn Content-Type: text/plain; charset="UTF-8" Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org On Wed, Mar 18, 2020 at 5:56 PM Richard Guy Briggs wrote: > On 2020-03-18 17:42, Paul Moore wrote: > > On Wed, Mar 18, 2020 at 5:27 PM Richard Guy Briggs wrote: > > > On 2020-03-18 16:56, Paul Moore wrote: > > > > On Fri, Mar 13, 2020 at 2:59 PM Richard Guy Briggs wrote: > > > > > On 2020-03-13 12:29, Paul Moore wrote: > > > > > > On Thu, Mar 12, 2020 at 3:30 PM Richard Guy Briggs wrote: > > > > > > > On 2020-02-13 16:44, Paul Moore wrote: > > > > > > > > This is a bit of a thread-hijack, and for that I apologize, but > > > > > > > > another thought crossed my mind while thinking about this issue > > > > > > > > further ... Once we support multiple auditd instances, including the > > > > > > > > necessary record routing and duplication/multiple-sends (the host > > > > > > > > always sees *everything*), we will likely need to find a way to "trim" > > > > > > > > the audit container ID (ACID) lists we send in the records. The > > > > > > > > auditd instance running on the host/initns will always see everything, > > > > > > > > so it will want the full container ACID list; however an auditd > > > > > > > > instance running inside a container really should only see the ACIDs > > > > > > > > of any child containers. > > > > > > > > > > > > > > Agreed. This should be easy to check and limit, preventing an auditd > > > > > > > from seeing any contid that is a parent of its own contid. > > > > > > > > > > > > > > > For example, imagine a system where the host has containers 1 and 2, > > > > > > > > each running an auditd instance. Inside container 1 there are > > > > > > > > containers A and B. Inside container 2 there are containers Y and Z. > > > > > > > > If an audit event is generated in container Z, I would expect the > > > > > > > > host's auditd to see a ACID list of "1,Z" but container 1's auditd > > > > > > > > should only see an ACID list of "Z". The auditd running in container > > > > > > > > 2 should not see the record at all (that will be relatively > > > > > > > > straightforward). Does that make sense? Do we have the record > > > > > > > > formats properly designed to handle this without too much problem (I'm > > > > > > > > not entirely sure we do)? > > > > > > > > > > > > > > I completely agree and I believe we have record formats that are able to > > > > > > > handle this already. > > > > > > > > > > > > I'm not convinced we do. What about the cases where we have a field > > > > > > with a list of audit container IDs? How do we handle that? > > > > > > > > > > I don't understand the problem. (I think you crossed your 1/2 vs > > > > > A/B/Y/Z in your example.) ... > > > > > > > > It looks like I did, sorry about that. > > > > > > > > > ... Clarifying the example above, if as you > > > > > suggest an event happens in container Z, the hosts's auditd would report > > > > > Z,^2 > > > > > and the auditd in container 2 would report > > > > > Z,^2 > > > > > but if there were another auditd running in container Z it would report > > > > > Z > > > > > while the auditd in container 1 or A/B would see nothing. > > > > > > > > Yes. My concern is how do we handle this to minimize duplicating and > > > > rewriting the records? It isn't so much about the format, although > > > > the format is a side effect. > > > > > > Are you talking about caching, or about divulging more information than > > > necessary or even information leaks? Or even noticing that records that > > > need to be generated to two audit daemons share the same contid field > > > values and should be generated at the same time or information shared > > > between them? I'd see any of these as optimizations that don't affect > > > the api. > > > > Imagine a record is generated in a container which has more than one > > auditd in it's ancestry that should receive this record, how do we > > handle that without completely killing performance? That's my > > concern. If you've already thought up a plan for this - excellent, > > please share :) > > No, I haven't given that much thought other than the correctness and > security issues of making sure that each audit daemon is sufficiently > isolated to do its job but not jeopardize another audit domain. Audit > already kills performance, according to some... > > We currently won't have that problem since there can only be one so far. > Fixing and optimizing this is part of the next phase of the challenge of > adding a second audit daemon. > > Let's work on correctness and reasonable efficiency for this phase and > not focus on a problem we don't yet have. I wouldn't consider this > incurring technical debt at this point. I agree, one stage at a time, but the choice we make here is going to have a significant impact on what we can do later. We need to get this as "right" as possible; this isn't something we should dismiss with a hand-wave as a problem for the next stage. We don't need an implementation, but I would like to see a rough design of how we would address this problem. > I could see cacheing a contid string from one starting point, but it may > be more work to search that cached string to truncate it or add to it > when another audit daemon requests a copy of a similar string. I > suppose every full contid string could be generated the first time it is > used and parts of it used (start/finish) as needed but that > search/indexing may not be worth it. I hope we can do better than string manipulations in the kernel. I'd much rather defer generating the ACID list (if possible), than generating a list only to keep copying and editing it as the record is sent. -- paul moore www.paul-moore.com